(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets

(11) EP 0 887 723 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 30.12.1998 Bulletin 1998/53

(51) Int. Cl.6: G06F 1/00, G06F 12/14

(21) Application number: 98304044.5

(22) Date of filing: 21.05.1998

(84) Designated Contracting States:
     AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
     Designated Extension States:
     AL LT LV MK RO SI

(30) Priority: 24.06.1997 US 881139

(71) Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
     Armonk, NY 10504 (US)

(72) Inventors:
     • Ciacelli, Mark Louis
       Endicott, New York 13760 (US)
     • Urda, John William
       Endwell, New York 13760 (US)
     • Lam, Wai Man
       Mohegan Lake, New York 10547 (US)
     • Kouloheris, Jack Lawrence
       Ossining, New York 10562 (US)
     • Fetkovich, John Edward
       Endicott, New York 13760 (US)

(74) Representative: Boyce, Conor
     IBM United Kingdom Limited,
     Intellectual Property Law,
     Hursley Park
     Winchester, Hampshire SO21 2JN (GB)

(54) Apparatus, method and computer program product for protecting copyright data within a
computer system



(57) Apparatus, method and computer program 
product are provided for digitally processing an encrypt- 
ed data stream scrambled, for example, according to 
content scrambling system (CSS) technology. This dig- 
ital processing insures against communication of clear 
data within the computer system from a central process- 
ing unit (CPU) to any accessible structure, such as 
memory or a system bus. Descrambling of the (CSS) 
scrambled data stream occurs within a module executing
on the CPU, which is followed by re-encryption of
the data prior to transfer from the CPU. By so processing 
the data, integrity of copyrighted material is maintained, 
while allowing for software descrambling of the CSS en- 
crypted data stream. Various techniques for establish- 
ing the encryption/decryption algorithm pair employed 
are described. Decryption of the re-encrypted data can 
occur at a receiving software module and/or a receiving 
hardware device, such as a decoder. 

Description

The present invention relates in general to apparatus
and method for protecting digital video/audio data
and, more particularly, to an apparatus, method and 
computer program product for encryption/decryption of 
data within a computer system for communication from 
a CPU to an accessible internal structure, such as mem- 
ory or a bus, without exposing the data in unscrambled 
form at the accessible structure. 

Within the past decade, the advent of world-wide 
electronic communications systems has enhanced the 
way in which people can send and receive information. 
In particular, the capabilities of real-time video and audio 
systems have greatly improved in recent years. In order 
to provide services such as video-on-demand, video 
conferencing, and digital video disc (DVD) motion pic- 
tures, an enormous amount of bandwidth is required. In 
fact, bandwidth is often the main inhibitor in the effec- 
tiveness of such systems. 

In order to overcome the constraints imposed by ex- 
isting technology, compression systems have emerged. 
These systems reduce the amount of video and audio 
data which must be transmitted by removing redundan- 
cy in the picture sequence. At the receiving end, the pic- 
ture sequence is uncompressed and may be displayed 
in real time. 

One example of an emerging video compression 
standard is the Moving Picture Experts Group ("MPEG") 
standard. Within the MPEG standard, video compres- 
sion is defined both within a picture and between pic- 
tures. Video compression within a picture is accom- 
plished by conversion of the digital image from the time 
domain to the frequency domain by a discrete cosine 
transform, quantization, variable length coding, and 
Huffman coding. Video compression between pictures 
is accomplished via a process referred to as "motion es- 
timation", in which a motion vector plus difference data 
is used to describe the translation of a set of picture el- 
ements from one picture to another. The ISO MPEG2 
standard specifies only the syntax of bitstream and se- 
mantics of the decoding process. The particular choice 
of coding parameters and tradeoffs in performance ver- 
sus complexity is left to the system developers. 

Digital Versatile Disc (DVD) is an emerging technology
which, due to its nature, requires extensive encryption
in order to protect the data, such as a motion picture,
against unauthorized copying. 

DVD is a specification for the content of video, audio 
and other compressed data to be used as playback vid- 
eo, audio and, for example, subtitle data by a DVD de- 
coder. The DVD video data is specified in the Moving 
Picture Experts Group (MPEG) standard (ISO/IEC 
13818-2). As well as being represented by this standard,
the data is also encrypted using the industry's Content
Scrambling System (CSS), which produces an encrypted,
encoded data stream for DVD playback. The data
stream can be decrypted by hardware licensed to perform
CSS decryption. Conventionally, CSS decryption
occurs at a PCI card, which also conventionally includes
MPEG decompression of the encrypted, encoded data
signal. 

The present invention is directed in one particular
aspect to improving upon this conventional DVD 
processing of the encrypted, encoded data stream. 

Briefly summarized, this invention comprises in a 
first aspect apparatus for processing a scrambled data 
stream within a computer system as claimed in claim 1.
In another aspect, apparatus is provided for 
processing a data stream within a computer system ac- 
cording to claim 12. 

Various enhancements to each of the aspects summarized
above are also described and claimed. In addition,
corresponding methods and computer program
products are presented and claimed. 

To restate, in accordance with this invention clear
data, whether compressed or uncompressed, is not allowed
to be resident in an accessible computer system
structure, such as a host memory buffer or system bus,
to prevent theft of the clear data. The invention is
particularly applicable to MPEG encoded and CSS encrypted
video data such as employed by digital video disc
(DVD) technology. The decryption techniques presented
herein allow for subsequent changes, for example,
through the flexibility of downloading new microcode, of
an encryption/decryption algorithm pair. In addition, the
particular scrambling/descrambling algorithm employed
may vary. The concept is to initiate the descrambling
process by host software, rescramble the data at the
central processing unit using a different encryption
technique, and then complete the descrambling at the
receiving module, whether the receiving module comprises
an additional software module executing on the central
processing unit or a receiving hardware device, such
as a decoder resident on a system bus coupled to the
central processing unit. The rescrambling subsequent
to primary software descrambling of the received
encrypted data may be complete or partial. At the receiving
module, the rescrambled data can be decrypted for
display, output via an audio card, or undergo further
processing.

An embodiment of the invention will now be described
with reference to the accompanying drawings,
in which:

Fig. 1 depicts one embodiment of a computer system
employing encryption/decryption apparatus in
accordance with the present invention;

Fig. 2 is a flowchart of one embodiment for accom- 
plishing encryption/decryption processing in ac- 
cordance with the present invention; 

Fig. 3 is a block diagram of one embodiment for updating
keys within the encryption and decryption
modules and/or devices of an apparatus in accordance
with the present invention; and

Fig. 4 is a representation of one embodiment of 
DVD disc data stream processing using microcode 
in accordance with the present invention. 

Generally stated, the present invention comprises 
an apparatus, method and computer program product 
for processing a data stream scrambled, for example, 
by employing content scrambling system (CSS) tech- 
nology. As one aspect, the invention comprises de- 
scrambling a received CSS encrypted signal at a central 
processing unit without subsequently exposing a clear 
copy of the descrambled data in any accessible struc- 
ture outside the CPU, such as memory or a system bus. 
This insures that information to be protected, such as 
security data or copyrighted material (herein collectively 
referred to as "copyright data"), will not be exposed at 
a point where illegal copying of the original data stream 
is feasible (e.g., during data transfer) while still allowing 
software descrambling of the CSS encrypted stream. In 
a specific example discussed herein, the encrypted 
stream might also comprise an encoded stream of
video/audio data compressed employing the Moving
Picture Experts Group (MPEG) standard (ISO/IEC
13818-2). 

In accordance with the present invention, a primary 
software module within a central processing unit con- 
ducts CSS descrambling and then encrypts the data 
stream using a selected encryption/decryption algo- 
rithm before sending any copyright data to a software 
module and/or hardware device outside the CPU, for ex- 
ample, through memory or a system bus. The external 
software module and/or hardware device receiving the 
re-encrypted data stream then decrypts the stream and 
processes it, e.g., for display in the case of video data 
or output to an audio card in the case of audio data. 

Briefly summarized, the processing involved herein 
includes determining at the primary software module 
whether data needs to be protected during subsequent 
transmission from the computer system's CPU. If "yes", 
then the primary module communicates to the software 
module and/or hardware device ultimately to receive the 
stream of data to establish an encryption/decryption al- 
gorithm pair. This communication may involve down- 
loading the decryption algorithm into the receiving soft- 
ware module and/or hardware device or signalling the 
decrypting software/hardware which decryption algo- 
rithm from a plurality of predefined encryption/decryp- 
tion algorithm pairs is to be used. The primary module 
uses the selected encryption algorithm to re-encrypt the 
descrambled data for transfer through any accessible 
structure, such as memory and/or system buses, to the 
receiving software module and/or hardware device 
which is to accomplish the final decryption. The receiv- 
ing module, which may also be located within the central 
processing unit, then decrypts the data and performs 
conventional processing thereon. As an alternative
example, the re-encrypted data from the central processing
unit may be sent through system memory and/or a
system bus to a video decoder for descrambling and
then decoding of the data, e.g., for display.

Fig. 1 depicts one embodiment of a computer system
to employ apparatus in accordance with the present
invention. A primary software module 10 and a second- 
ary (or receiving) processing software module 20 are 
each executed within the computer system's central 
processing unit (CPU). A processing unit hardware de- 
vice 30 (such as a decoder) resides on one of the buses 
26 of the computer system. Communication between 
primary software module 10 and software module 20 
and/or processing hardware 30 requires data transfer 
through memory 25 and/or system bus 26, both located 
outside the CPU 11. Software module 10 contains a data
processing module 21 and an encryption module 22. 
Data processing module 21 comprises any conventional 
processing to be done to the data stream, and in accord- 
ance with the present invention, also includes descram- 
bling (such as CSS descrambling) of a received encrypt- 
ed, original data stream. Processing module 20 contains 
a decryption module 23 and a processing module 24, 
while processing hardware device 30 includes a decryp- 
tion device 27 and a data processing device 28. 

Original data arrives at the central processing unit 
11, for example, from an external storage device or from
a computer system network. This data may contain a 
portion which needs to be protected from illegal copying. 
This portion is denoted "copyright data" herein to distin- 
guish it from the original data. If the entire original data 
needs to be protected, then the copyright data is equiv- 
alent to the original data. The original data is first trans- 
ferred to the input of module 10 for processing by data 
processing 21. Again, for example, this may include
descrambling of CSS encrypted original data. The identified
copyright data is then re-encrypted by encryption
module 22 using a different encryption algorithm, i.e., 
an encryption algorithm other than CSS encryption. The 
original data passing through module 10 can comprise 
an unencrypted data stream or an encrypted data 
stream. In the first case, processing module 21 process- 
es the original data and encryption module 22 performs 
an encryption algorithm to encrypt any copyright data. 
By way of example, the encryption algorithm could be 
of the type described in B. Schneier, Applied Cryptog- 
raphy, John Wiley & Sons Inc., 2nd Ed. (1996). 

In the second case, processing module 21 can de- 
crypt the original data, after which encryption module 22 
would re-encrypt the copyright portion of it using a se- 
lected encryption algorithm, which again can be of the 
type described in Applied Cryptography. This procedure 
is called trans-encryption. Alternatively, processing 
module 21 can choose not to decrypt the original data 
and module 22 could then encrypt on top of the originally 
encrypted copyright data. This procedure is referred to 
as layer-encryption. Advantageously, trans-encryption 
allows the encryption algorithm employed within the 
computer system in accordance with this invention to be
different from that employed by the original data, e.g., 
CSS encryption. Layer-encryption allows multiple en- 
cryption algorithms to be employed, thereby enhancing 
security. 

The encrypted copyright data can be transferred to/ 
through system memory 25 and/or system bus 26 for 
ultimate receipt by secondary processing module 20 
and/or processing hardware device 30. As noted above, 
module 20 has a decryption module 23 and a data 
processing module 24, while hardware device 30 con- 
tains a decryption device 27 and a data processing de- 
vice 28. Decryption module 23 and/or device 27 de- 
crypts the data encrypted by encryption module 22. The 
decrypted data is then processed by the data process- 
ing module 24 and/or data processing device 28, re- 
spectively. 

The encryption/decryption algorithm pair employed 
by encryption module 22 and decryption module 23 
(and/or device 27) can be a default algorithm pair pre- 
defined in the design stage of modules 10 & 20 and/or 
hardware device 30. Alternatively, the algorithm pair can 
be a downloadable algorithm. 

For example, there can be multiple encryption algo- 
rithms built into encryption module 22 and multiple de- 
cryption modules built into decryption module 23 and/or 
decryption device 27. Only one matched pair will be 
used at any given time. Before encryption, the encryption
module 22 sends a signal to module 23 and/or device 27
to notify them which particular algorithm module
22 will employ. This signal can be in the form of a soft- 
ware parameter, or a software or a hardware interrupt. 
The decryption module 23 and/or decryption device 27 
then employs the corresponding decryption algorithm of 
the selected encryption/decryption algorithm pair. Since 
no actual algorithm content is passed between the mod- 
ules and devices, the actual encryption algorithm em- 
ployed will not be known unless reverse engineering is 
performed within the software modules and/or the hard- 
ware devices. 

Alternatively, encryption module 22 and decryption 
module 23 (or decryption device 27) can be predefined 
at the design stage to include a resident encryption/decryption
routine. Before encryption, module 22 would
decide on an actual encryption and decryption algorithm 
pair to be used. Module 22 would use the resident en- 
cryption algorithm to encrypt the actual decryption rou- 
tine of the selected algorithm pair to be used by the de- 
cryption module 23 and/or decryption device 27. The en- 
cryption module 22 then transmits the encrypted version 
of the actual decryption algorithm to module 23 and/or 
device 27. Upon receipt of this information, the decryp- 
tion module 23 and/or device 27 employs the resident 
decryption algorithm to decrypt the downloaded decryp- 
tion algorithm. Module 23 then uses the descrambled 
decryption algorithm as a procedure call, while device 
27 could load the algorithm into a programmable circuit 
within device 27. After completing downloading of the
actual decryption algorithm, module 22 uses the actual
encryption algorithm to encrypt the data, and module 23
and/or device 27 employs the downloaded decryption
routine to decrypt the data. If an update of the
encryption/decryption routine is desired, then a different
encryption/decryption algorithm pair is selected and
encryption module 22 downloads the corresponding
decryption algorithm into the decryption module 23 and/or
decryption device 27.

After decryption is performed, the receiving data
processing module 24 and/or device 28 performs any 
required data processing, such as MPEG decoding of a 
clear, compressed video/audio data signal. 

Fig. 2 depicts a flowchart of one embodiment of
processing to establish encryption and decryption
procedures to secure the data in accordance with the
present invention using the apparatus of Fig. 1. This
processing flow is started when original data enters the
input of software module 10 (Fig. 1). Module 10 initially
determines whether the received data needs to be
protected 50. If "no", then module 22 communicates the
data directly to secondary module 20 and/or device 30 at
step 60. For example, in a DVD application, module 10
can examine the Copy Generation Management System
(CGMS) data. If the received data needs to be
protected, then at step 51 processing communicates from
module 22 to decryption module 23 and/or decryption
device 27 that decryption is needed prior to use of the
data.

Next, processing determines whether a decryption
algorithm needs to be downloaded (step 52). If "no",
meaning that a default decryption algorithm is to be
used, processing proceeds directly to step 54. Otherwise,
the algorithm is downloaded into decryption module 23
and/or decryption device 27 at step 53.

After establishing the decryption algorithm, encryption
module 22 communicates a key to decryption module 23
and/or decryption device 27 (step 54), and uses
the key and the encryption algorithm to encrypt the
copyright data (step 55). The encrypted key and encrypted
data can be sent as a single bitstream, or separately, to
module 23 and/or device 27 by way of system memory
and/or a system bus. At step 56, the decryption module
23 and/or decryption device 27 uses the chosen or the
downloaded algorithm to decrypt the data. Module 22
then determines whether the encryption key should be
updated 57. If "no", the encryption and decryption
processing steps 55 & 56 are repeated. If desired, the
same encryption key can be used until the end of the
data stream transmission. Otherwise, return is made to
step 54 for communication of a new encryption key to
module 23 and/or device 27.

Fig. 3 depicts one embodiment of apparatus/processing
for updating encryption keys pursuant to
steps 54 through 57 of Fig. 2. Within module 22 there is
a key generation module 79, a key encryption module
80, a data encryption module 81 and a data multiplexer
module 82. Key generation module 79 generates an
original key which is encrypted by module 80 and also
used by module 81 to encrypt the original data. Data
multiplexer 82 combines the encrypted key and the
encrypted data into one data stream, which is then
transmitted through memory and/or system bus 83 to the
decryption module 23 and/or decryption device 27. The
decryption module 23 and decryption device 27 contain
a data demultiplexer module/device 84, a key decryption
module/device 85 and a data decryption module/device 86.
The data demultiplexer module/device 84 decouples
the received data stream into the encrypted data
and the encrypted key. The key is then decrypted by
key decryption module/device 85 to produce the original
key. Data decryption module 86 uses the original key to
decrypt the encrypted data.
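
An added example, not part of the patent text, that walks the Fig. 2 loop (steps 50 through 57) and the Fig. 3 key multiplexing just described, including selection of one of several predefined algorithm pairs by identifier. The frame layout, the shared resident key used to encrypt the session key, the rekey policy and the hash-based keystream ciphers are all assumptions made for illustration; the patent names no algorithm or format.

```python
import hashlib
import os
import struct

# Stand-in "encryption/decryption algorithm pairs": hash-based XOR keystreams,
# used only so the example runs on the standard library. The patent names no
# algorithm; a real design would use a vetted authenticated cipher.
ALGORITHM_PAIRS = {1: "sha256", 2: "blake2s"}    # pair id -> keystream hash
HEADER = ">BB8sI"    # pair id, flags, nonce, payload length (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)
ENCRYPTED, KEY_UPDATE = 0x01, 0x02
KEY_LEN = 32


def crypt(pair_id, key, nonce, data):
    """Apply the selected pair. XOR keystream: one call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = key + nonce + struct.pack(">Q", counter)
        stream += hashlib.new(ALGORITHM_PAIRS[pair_id], block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PrimaryModule:
    """Encryption side (module 22 with sub-modules 79-82 of Fig. 3)."""

    def __init__(self, resident_key, pair_id, rekey_every):
        self.resident_key = resident_key   # assumed shared key-encryption key
        self.pair_id = pair_id             # which predefined pair is signalled
        self.rekey_every = rekey_every     # step 57 policy: frames per key
        self.session_key = None
        self.frames_under_key = 0

    def protect(self, chunk, is_copyright=True):
        if not is_copyright:               # step 50 "no": step 60, sent as-is
            return struct.pack(HEADER, 0, 0, bytes(8), len(chunk)) + chunk
        nonce = os.urandom(8)
        flags, wrapped = ENCRYPTED, b""
        if self.session_key is None or self.frames_under_key >= self.rekey_every:
            self.session_key = os.urandom(KEY_LEN)             # key generation 79
            wrapped = crypt(self.pair_id, self.resident_key,   # key encryption 80
                            b"K" + nonce, self.session_key)
            flags |= KEY_UPDATE
            self.frames_under_key = 0
        self.frames_under_key += 1
        body = crypt(self.pair_id, self.session_key, b"D" + nonce, chunk)  # 81
        header = struct.pack(HEADER, self.pair_id, flags, nonce, len(chunk))
        return header + wrapped + body                          # multiplexer 82


class ReceivingModule:
    """Decryption side (module 23 / device 27 with sub-modules 84-86)."""

    def __init__(self, resident_key):
        self.resident_key = resident_key
        self.session_key = None

    def receive(self, frame):
        if len(frame) < HEADER_LEN:
            raise ValueError("truncated header")
        pair_id, flags, nonce, length = struct.unpack_from(HEADER, frame)
        offset = HEADER_LEN
        if not flags & ENCRYPTED:
            return frame[offset:offset + length]    # unprotected data
        if pair_id not in ALGORITHM_PAIRS:
            raise ValueError("unknown algorithm pair")
        if flags & KEY_UPDATE:                      # demultiplexer 84
            wrapped = frame[offset:offset + KEY_LEN]
            offset += KEY_LEN
            if len(wrapped) != KEY_LEN:
                raise ValueError("truncated key")
            self.session_key = crypt(pair_id, self.resident_key,  # key decryption 85
                                     b"K" + nonce, wrapped)
        if self.session_key is None:
            raise ValueError("no session key established")
        body = frame[offset:offset + length]
        if len(body) != length:
            raise ValueError("truncated frame")
        return crypt(pair_id, self.session_key, b"D" + nonce, body)  # decryption 86


def demo():
    """Send five constructed chunks through both modules, rekeying every 2 frames."""
    resident_key = os.urandom(KEY_LEN)
    primary = PrimaryModule(resident_key, pair_id=2, rekey_every=2)
    receiver = ReceivingModule(resident_key)
    chunks = [b"constructed clear MPEG chunk %d" % i for i in range(5)]
    frames = [primary.protect(c) for c in chunks]   # what crosses memory/bus
    recovered = [receiver.receive(f) for f in frames]
    return chunks, frames, recovered


if __name__ == "__main__":
    chunks, frames, recovered = demo()
    print(recovered == chunks, [bool(f[1] & KEY_UPDATE) for f in frames])
```

The frames give confidentiality in the shared buffer only; nothing in this sketch authenticates them, and the patent text does not address integrity either.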

Fig. 4 depicts a further embodiment of processing
in accordance with the present invention. In this
embodiment, rescrambling of the data stream is employed after
CSS decryption, along with subsequent descrambling
of the re-encrypted stream prior to decompression
decoding in a decoder chip. The processing described
is preferably accomplished within on-chip microcode.

More particularly, a bit stream is read from a DVD 
disc 100 into a host processor 110 where a central 
processing unit conducts DVD descrambling using li- 
censed DVD keys 112. An optional tamper resistance 
algorithm 114 can be employed to protect the subse- 
quent encryption process. The clear, encoded bit stream 
is then rescrambled 116 using any available encrypting/ 
decrypting algorithm, i.e., other than CSS encoding. 
This rescrambled data is delivered to the decoder, for 
example, an MPEG video decoder 128. Descrambling 
occurs within decoder 128 subsequent to a microcode 
load 124 containing the corresponding bit stream de- 
scrambling microcode. The exact portions of the stream 
which are scrambled and then descrambled, as well as 
the algorithm used, may vary from release to release of 
the code. The data stream may comprise an MPEG vid- 
eo data stream 118 wherein in one embodiment one or 
more fields of each picture 120 are scrambled in accordance
with bit stream rescramble 116 processing such
that the data stream is at least partially re-encrypted 
subsequent to the DVD descrambling processing 112. 
A decryption key 122 as well as the microcode load 124
are sent along with the video data stream to bit stream 
descramble logic 126 within the video decoder 128. 

Those skilled in the art will note from the above
discussion that, in accordance with this invention, clear data
(uncompressed or compressed) is never resident in an
accessible computer system structure, such as a host
memory buffer or system bus, thereby inhibiting theft of
the clear data. The invention is particularly applicable to
MPEG encoded and CSS encrypted video data such as
employed by digital video disc technology. The decryption
techniques presented herein allow for subsequent
changes, e.g., through the flexibility of new microcode
loads, of a decryption algorithm which may have been
broken. In addition, the particular scrambling/descrambling
algorithm employed by the rescrambling technique
of the present invention may vary. The concept is to
begin the descrambling process by host software,
rescramble the data at the CPU using a different encryption
technique, and then complete the descrambling at
the receiving module, whether the receiving module
comprises an additional software module or a receiving
hardware device, such as a decoder. The rescrambling
subsequent to primary software descrambling of the
received encrypted data may be complete or partial. For
example, in one embodiment, certain MPEG data can
be scrambled by the host software. The host would then
transmit the appropriate descrambling microcode loads
or a single microcode load with an appropriate key or
keys to the receiving module or receiving hardware
device. At the receive module, the microcode performs the
inverse of the scrambling algorithm used by the host.
The key may be static or accumulated.

Further, those skilled in the art will note that the
present invention can be included in an article of
manufacture (e.g., one or more computer program products)
having, for instance, computer useable media. The media
has embodied therein, for instance, computer readable
program code means for providing and facilitating
the capabilities of the present invention. The articles
manufactured can be included as part of the computer
system or sold separately.

The flow diagrams depicted herein are provided by
way of example. For instance, in certain cases the steps
may be performed in differing order, or steps may be
added, deleted or modified. Further, although described
principally herein with reference to a single primary
module, a single receiving processing module, and a
single processing hardware device, multiple modules
and devices of each type may be employed as apparatus
in accordance with the present invention.



Claims 

1. Apparatus for processing a scrambled data stream
within a computer system having a central processing
unit (CPU) coupled to receive the scrambled data
stream, comprising:

descrambling means within the central
processing unit for descrambling the received,
scrambled data stream to produce a clear data
stream;

re-encryption means within the central
processing unit for re-encrypting the clear data
stream to produce an encrypted data stream,
wherein said scrambled data stream is produced
from a different encryption algorithm
than said encrypted data stream;

means for transferring the encrypted data
stream from the central processing unit to a
second structure of the computer system, said
second structure being coupled to the CPU;
and

decryption means coupled to the second structure
for receiving the encrypted data stream
therefrom and for decrypting the encrypted data
stream to produce said clear data stream,
wherein said clear data stream is unexposed
when transferred from the central processing
unit to said second structure coupled to the
CPU, while said descrambling means within the
central processing unit accomplishes descrambling
of the received scrambled data stream.

2. The apparatus of claim 1, wherein said scrambled
data stream comprises a scrambled, encoded data 
stream and wherein said apparatus further compris- 
es a decoder coupled to said decryption means for 
decoding a clear, encoded data stream produced 
by said decryption means. 

3. The apparatus of claim 2, wherein said clear, en- 
coded data stream comprises a video data stream 
and wherein said decoder comprises an MPEG vid- 
eo decoder. 

4. The apparatus of claim 2, wherein said scrambled, 
encoded data stream comprises a CSS scrambled, 
MPEG encoded data stream, and wherein said de- 
scrambling means comprises means for CSS de- 
scrambling the scrambled, encoded data stream 
within the CPU and said decoder comprises means 
for MPEG decoding said clear, encoded data 
stream. 

5. The apparatus of claim 2, wherein said decoder 
comprises a decoding hardware device and said 
decryption means resides within said decoding 
hardware device. 

6. The apparatus of claim 1, wherein said re-encryption
means further comprises means for providing
a key for use in re-encrypting the clear data stream,
and wherein said decryption means includes means
for employing the key in decrypting the encrypted
data stream.

7. The apparatus of claim 6, wherein said re-encryption
means further comprises means for encrypting
said key to produce an encrypted key, and for
multiplexing the encrypted key and the encrypted data
stream into a multiplexed data stream for transfer
to said second structure coupled to the CPU, and
wherein said decryption means further comprises
means for demultiplexing said multiplexed data
stream to obtain said encrypted key and said
encrypted data stream, and wherein said decryption
means further comprises means for decrypting said
encrypted key.

8. The apparatus of claim 1, further comprising means
for selecting an encryption/decryption algorithm
pair for use by said re-encryption means and said
decryption means.

9. The apparatus of claim 8, wherein said means for
selecting comprises means for downloading a
decryption algorithm of said selected encryption/decryption
algorithm pair from said re-encryption
means to said decryption means, said means for
downloading including means for encrypting the
decryption algorithm for transfer between the
re-encryption means and the decryption means.

10. The apparatus of claim 8, wherein said means for
selecting comprises means for selecting said
encryption/decryption algorithm pair from a plurality of
encryption/decryption algorithm pairs at said
re-encryption means and said decryption means, and
wherein said means for selecting comprises means
for noticing the decryption means which decryption
algorithm of said plurality of encryption/decryption
algorithm pairs corresponds with an encryption
algorithm employed by said re-encryption means.

11. The apparatus of claim 1, wherein said decryption
means comprises a decryption module disposed
within the central processing unit, and said second
structure coupled to the CPU comprises memory.

12. Apparatus for processing a data stream within a
computer system having a central processing unit
(CPU) coupled to receive the data stream, said
apparatus comprising:

encryption means within the CPU for encrypting
identified copyright data within the data
stream to produce therefrom encrypted data;

means for transferring the encrypted data from
the central processing unit to a structure of the
computer system coupled thereto, wherein said
copyright data is only transferred from the central
processing unit as said encrypted data; and

decryption means coupled to said structure
receiving the encrypted data, said decryption
means comprising means for decrypting the
encrypted data.

13. The apparatus of claim 12, further comprising
means for identifying within the central processing
unit said copyright data of the data stream, said
means for identifying providing said identified
copyright data to said encryption means.

14. The apparatus of claim 13, wherein the data stream
comprises a scrambled, encoded data stream, and 
wherein said apparatus further comprises descram- 
bling means for descrambling the scrambled, en- 
coded data stream within the central processing 
unit to produce a clear, encoded data stream, and 
wherein said means for identifying comprises 
means for examining the clear, encoded data 
stream to identify copyright data for encryption by 
said encryption means. 

15. The apparatus of claim 12, wherein said decryption
means comprises a microcode decryption device. 

16. The apparatus of claim 12, wherein said data stream comprises a scrambled data stream, and wherein said apparatus further comprises means for descrambling the scrambled data stream prior to said encrypting of the identified copyright data by said encryption means, wherein said scrambled data stream is produced from a different encryption algorithm than said encrypted data produced by said encryption means.

17. The apparatus of claim 12, wherein said encryption means further comprises means for providing a key for use in said encrypting of the identified copyright data and for use by said decryption means for decrypting the encrypted data.

18. The apparatus of claim 17, wherein said encryption means further comprises means for encrypting said key to produce an encrypted key, and for multiplexing the encrypted key and the encrypted data into a multiplexed data stream for transfer to said structure coupled to the CPU, and wherein said decryption means further comprises means for demultiplexing said multiplexed data stream to obtain said encrypted key and said encrypted data, and wherein said decryption means further comprises means for decrypting said encrypted key.

19. The apparatus of claim 12, further comprising means for selecting an encryption/decryption algorithm pair for use by said encryption means and said decryption means from a plurality of predefined encryption/decryption algorithm pairs, said selected encryption/decryption algorithm pair comprising an encryption algorithm and a corresponding decryption algorithm, said encryption algorithm being employed by said encryption means, and said corresponding decryption algorithm being employed by said decryption means.

20. A method for processing a scrambled data stream within a computer system having a central processing unit and a structure coupled thereto, said method comprising:

(a) receiving the scrambled data stream at the central processing unit (CPU);

(b) descrambling the scrambled data stream within a module executing on the central processing unit to produce clear data;

(c) re-encrypting the clear data within the central processing unit, said re-encrypting producing at least partially encrypted data;

(d) subsequent to said re-encrypting, transferring the at least partially encrypted data from the central processing unit to a second structure of the computer system, said second structure being coupled to the central processing unit; and

(e) subsequent to said transferring, retrieving and decrypting the at least partially encrypted data to produce clear data, wherein said clear data is unexposed when transferred from the central processing unit to the structure coupled thereto, while said descrambling occurs within the module executing on the central processing unit, and wherein the scrambled data stream is produced from a different encryption algorithm than employed by said re-encrypting (c) to produce said at least partially encrypted data.

21. A computer program product comprising a computer usable medium having computer readable program code means therein for use in processing a scrambled data stream within a computer system having a central processing unit and a structure coupled thereto, said computer readable program code means in said computer program product comprising:

computer readable program code means for causing a computer to effect receiving of the scrambled data stream at the central processing unit and for descrambling the scrambled data stream within the central processing unit to produce clear data, and for re-encrypting the clear data within the central processing unit to produce at least partially encrypted data;

computer readable program code means for causing a computer to effect transferring of said at least partially encrypted data from the central processing unit to the structure coupled thereto; and

computer readable program code means for causing a computer to effect retrieving of the at least partially encrypted data from the structure coupled to the CPU and for decrypting the at least partially encrypted data, said decrypting producing clear data, wherein said clear data is unexposed when transferred from the central processing unit to the structure coupled thereto, while said descrambling occurs within the central processing unit.
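The key handling of claims 7 and 18 inside the transfer flow of claim 20, as an added Python sketch that is not part of the patent text: the CPU side re-encrypts clear data under a fresh key, encrypts that key, and multiplexes both into one stream, and the receiving side reverses the steps. The claims name no cipher or stream format, so the SHA-256 keystream cipher, the header layout, the pre-shared `shared_key` and all function names are assumptions.

```python
import hashlib
import os
import struct

# Constructed layout (assumption): nonce, encrypted key, payload length.
HEADER = struct.Struct(">16s16sI")

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def cpu_side(clear: bytes, shared_key: bytes) -> bytes:
    """Claim 20 (c)-(d) with claims 7/18: re-encrypt the clear data,
    encrypt the key, and multiplex both into the stream that leaves the CPU."""
    session_key = os.urandom(16)   # key used for the re-encryption
    nonce = os.urandom(16)         # fresh per stream, so keystreams never repeat
    encrypted_key = keystream_xor(shared_key, nonce, session_key)
    encrypted_data = keystream_xor(session_key, nonce, clear)
    return HEADER.pack(nonce, encrypted_key, len(encrypted_data)) + encrypted_data

def decoder_side(mux: bytes, shared_key: bytes) -> bytes:
    """Claim 20 (e) with claims 7/18: demultiplex, decrypt the key,
    then decrypt the data."""
    if len(mux) < HEADER.size:
        raise ValueError("truncated multiplexed stream")
    nonce, encrypted_key, length = HEADER.unpack_from(mux)
    encrypted_data = mux[HEADER.size:]
    if len(encrypted_data) != length:
        raise ValueError("payload length does not match header")
    session_key = keystream_xor(shared_key, nonce, encrypted_key)
    return keystream_xor(session_key, nonce, encrypted_data)

if __name__ == "__main__":
    shared = os.urandom(16)                    # constructed pre-shared key
    clear = b"constructed clear video payload" # constructed sample data
    on_bus = cpu_side(clear, shared)
    print("clear bytes visible on bus:", clear in on_bus)
    print("recovered:", decoder_side(on_bus, shared))
```

The stand-in cipher provides confidentiality only; a stream tampered with in memory or on the bus would decrypt without error, so a real design would pair the encryption with an integrity check.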